| Field | Value |
| --- | --- |
| Name | vet |
| Version | 0.1.1.post4 |
| Summary | A poetry plugin for establishing chain of trust |
| upload_time | 2024-04-01 01:05:17 |
| author | Rafael Irgolic |
| requires_python | <4.0,>=3.10 |
| home_page | None |
| maintainer | None |
| docs_url | None |
| license | None |
| keywords | |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |
<div align="center">
# `vet`
A poetry plugin for establishing a chain of trust over your dependencies.
Inspired by [cargo-vet](https://github.com/mozilla/cargo-vet)
</div>
## Installation
Depending on how you installed poetry, you may need to install `vet` in a different way.
If you used the self-installer:
```bash
poetry self add vet
```
If you used pipx:
```bash
pipx inject poetry vet
```
If you used pip:
```bash
pip install vet
```
For more information and troubleshooting, see the [poetry plugin installation docs](https://python-poetry.org/docs/plugins/#using-plugins).
## Usage
### Initialization
Initialize `vet` in your project:
```bash
poetry vet init
```
This will create a [`chain-of-trust` directory](chain-of-trust/) in your project.
See the [generated README](chain-of-trust/README.md) for more information on how to configure `vet`.
### Running checks
To audit your project dependencies, run:
```bash
poetry vet
```
Each dependency is vetted against one of two criteria: **safe to run** or **safe to deploy**.
On initialization, every dependency already listed in `poetry.lock` is recorded as an exemption and treated as **safe to run**; dependencies added or upgraded after that point are not exempt and must be audited.
To vet dependencies as **safe to deploy**, run:
```bash
poetry vet --safe-to-deploy
```
For an example of how to run `vet` in GitHub CI, see [the `ci.yml` file in this repository](https://github.com/irgolic/vet/blob/main/.github/workflows/ci.yml#L15).
### Importing Audits
Modify the `config.toml` file as per the example in [the generated README](chain-of-trust/README.md#imports).
Then run:
```bash
poetry vet lock
```
This will download the audits from the trusted sources specified in the `config.toml` file and store them in the `import.lock` file.
### Auditing
Audit dependencies manually by adding entries in the `audits.toml` file as per the example in [the generated README](chain-of-trust/README.md#audit-file-auditstoml).
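The following is an added illustration of the cargo-vet-style trust check that the sections above describe (exemptions created at init, local audits, imported audits, and the two criteria). It is not `vet`'s own code, and the `Audit` record layout and the `check()` function are assumed for the example rather than taken from the plugin's `audits.toml` or `import.lock` formats; the package names and versions are constructed.

```python
"""Model of a chain-of-trust check over a lock file (added example; the record
layout below is an assumption, not vet's own file format)."""
from dataclasses import dataclass, field

# safe-to-deploy is the stronger criterion and implies safe-to-run.
CRITERIA_RANK = {"safe-to-run": 1, "safe-to-deploy": 2}


@dataclass(frozen=True)
class Audit:
    """One audit entry: an exact package version vetted to a criterion.
    `source` is "local" (audits.toml) or the name of an imported audit set
    (what `poetry vet lock` would pull into import.lock)."""
    package: str
    version: str
    criteria: str
    source: str


@dataclass
class TrustStore:
    audits: list[Audit] = field(default_factory=list)
    # (package, version) pairs grandfathered in at init; assumed to count as safe-to-run only.
    exemptions: set[tuple[str, str]] = field(default_factory=set)


def init_exemptions(lock: dict[str, str]) -> TrustStore:
    """Mirror of `poetry vet init`: every pinned dependency becomes an exemption."""
    return TrustStore(exemptions={(name, version) for name, version in lock.items()})


def satisfies(have: str, required: str) -> bool:
    return CRITERIA_RANK[have] >= CRITERIA_RANK[required]


def check(lock: dict[str, str], store: TrustStore, required: str = "safe-to-run") -> dict[str, list[str]]:
    """Classify each locked dependency as vetted ("ok") or "unvetted" for `required`.

    Audits match exact versions only, so a version bump invalidates prior trust;
    the strongest matching audit wins; exemptions only ever grant safe-to-run."""
    ok: list[str] = []
    unvetted: list[str] = []
    for name, version in sorted(lock.items()):
        best = None
        for audit in store.audits:
            if audit.package == name and audit.version == version:
                if best is None or CRITERIA_RANK[audit.criteria] > CRITERIA_RANK[best]:
                    best = audit.criteria
        if best is None and (name, version) in store.exemptions:
            best = "safe-to-run"
        pin = f"{name}=={version}"
        (ok if best is not None and satisfies(best, required) else unvetted).append(pin)
    return {"ok": ok, "unvetted": unvetted}


def demo() -> dict[str, dict[str, list[str]]]:
    # Constructed lock at init time: both packages become exemptions.
    store = init_exemptions({"pkg-a": "1.0", "pkg-b": "2.0"})
    # Later lock: pkg-b was upgraded and pkg-c was added, so neither is exempt.
    lock = {"pkg-a": "1.0", "pkg-b": "2.1", "pkg-c": "3.0"}
    before = check(lock, store)
    # A local audit of the upgrade and an imported safe-to-run audit of pkg-c.
    store.audits.append(Audit("pkg-b", "2.1", "safe-to-deploy", "local"))
    store.audits.append(Audit("pkg-c", "3.0", "safe-to-run", "imported:example-org"))
    return {
        "before_audits": before,
        "safe_to_run": check(lock, store),
        "safe_to_deploy": check(lock, store, "safe-to-deploy"),
    }


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Running it shows the three states a practitioner cares about: right after the upgrade, `pkg-b==2.1` and `pkg-c==3.0` are unvetted while the exempt `pkg-a==1.0` passes; after the audits, the default `safe-to-run` check is clean; the stricter `--safe-to-deploy` check still flags `pkg-a` (exempt only) and `pkg-c` (imported audit only covers safe-to-run).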
## Background
This was thrown together in an afternoon; after the [xz backdoor](https://boehs.org/node/everything-i-know-about-the-xz-backdoor) I thought we needed better visibility into our dependency trees.
Raw data
{
"_id": null,
"home_page": null,
"name": "vet",
"maintainer": null,
"docs_url": null,
"requires_python": "<4.0,>=3.10",
"maintainer_email": null,
"keywords": null,
"author": "Rafael Irgolic",
"author_email": "hello@irgolic.com",
"download_url": "https://files.pythonhosted.org/packages/0f/e4/84066397b7bcc90d6021383f9ec6b0ed77d7a16f732c92dc4d19a75aff8f/vet-0.1.1.post4.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": null,
"summary": "A poetry plugin for establishing chain of trust",
"version": "0.1.1.post4",
"project_urls": null,
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "1c342e74af29968a34d64e81d85d46722551a6b1ebbf93a4683a53e2705d8df7",
"md5": "dbe8c4a1c44825936d8cfff1054486e2",
"sha256": "f0a9cf28406c656b92f95da2bf182887d5f1a8586c4878308cedf36f55cf822c"
},
"downloads": -1,
"filename": "vet-0.1.1.post4-py3-none-any.whl",
"has_sig": false,
"md5_digest": "dbe8c4a1c44825936d8cfff1054486e2",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "<4.0,>=3.10",
"size": 49555,
"upload_time": "2024-04-01T01:05:15",
"upload_time_iso_8601": "2024-04-01T01:05:15.457341Z",
"url": "https://files.pythonhosted.org/packages/1c/34/2e74af29968a34d64e81d85d46722551a6b1ebbf93a4683a53e2705d8df7/vet-0.1.1.post4-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "0fe484066397b7bcc90d6021383f9ec6b0ed77d7a16f732c92dc4d19a75aff8f",
"md5": "3b86664b6c9438553db6303ed3a87b96",
"sha256": "22915579241cabbd429812c83287fc8867fa05e1c1cbbfdd8a9fbbc79582d565"
},
"downloads": -1,
"filename": "vet-0.1.1.post4.tar.gz",
"has_sig": false,
"md5_digest": "3b86664b6c9438553db6303ed3a87b96",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "<4.0,>=3.10",
"size": 46770,
"upload_time": "2024-04-01T01:05:17",
"upload_time_iso_8601": "2024-04-01T01:05:17.245605Z",
"url": "https://files.pythonhosted.org/packages/0f/e4/84066397b7bcc90d6021383f9ec6b0ed77d7a16f732c92dc4d19a75aff8f/vet-0.1.1.post4.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-04-01 01:05:17",
"github": false,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"lcname": "vet"
}